Raspberry Robin Scenario: Financial Branch Offices

Raspberry Robin Scenario: Financial Branch Offices

Sterling Financial Services: Financial services organization with 2,000 employees across 50 branches

Financial Removable-Media Outbreak • RaspberryRobin

STAKES

Customer trust + Branch transaction integrity + Regulatory posture + Operational continuity

HOOK

Branch support teams report removable media creating unexpected shortcut files on reconciliation workstations, unexplained process execution in branch middleware, and abnormal activity moving between branch and central operations systems. Security monitoring confirms recurring outbound sessions from transaction-support hosts while endpoint scans remain inconsistent.

PRESSURE

• Decision deadline: Thursday 16:30
• Branch scope: 50 active branch offices
• Exposure estimate: GBP 3.4 million projected incident response and customer-remediation exposure

FRONT • 120 minutes • Intermediate

Sterling Financial Services: Financial services organization with 2,000 employees across 50 branches

Financial Removable-Media Outbreak • RaspberryRobin

NPCs

• James Forsyth (CEO): Owns strategic response and customer-trust posture
• Priya Sharma (CTO): Leads branch-system triage and recovery sequencing
• Michael Thornton (CISO): Directs containment and evidential integrity controls
• Eleanor Davies (Head of Branch Operations): Coordinates branch execution and service continuity

SECRETS

• Removable-media workflows remained embedded in branch reconciliation and support routines
• Access boundaries around branch middleware exceeded least-privilege expectations
• Covert activity prioritized reconciliation and customer-support data before visible disruption

Raspberry Robin Scenario: Financial Branch Offices

Van der Berg Financiele Diensten: Financial services organization with 1,500 employees across 35 offices

Financial Removable-Media Outbreak • RaspberryRobin

STAKES

Customer trust + Branch transaction integrity + Regulatory posture + Operational continuity

HOOK

Branch support teams report removable media creating unexpected shortcut files on reconciliation workstations, unexplained process execution in branch middleware, and abnormal activity moving between branch and central operations systems. Security monitoring confirms recurring outbound sessions from transaction-support hosts while endpoint scans remain inconsistent.

PRESSURE

• Decision deadline: Thursday 16:30
• Branch scope: 35 active branch offices
• Exposure estimate: EUR 2.6 million projected incident response and customer-remediation exposure

FRONT • 120 minutes • Intermediate

Van der Berg Financiele Diensten: Financial services organization with 1,500 employees across 35 offices

Financial Removable-Media Outbreak • RaspberryRobin

NPCs

• Pieter van Dijk (CEO): Owns strategic response and customer-trust posture
• Annemarie Bos (CTO): Leads branch-system triage and recovery sequencing
• Jeroen Bakker (CISO): Directs containment and evidential integrity controls
• Marieke Smit (Head of Branch Operations): Coordinates branch execution and service continuity

SECRETS

• Removable-media workflows remained embedded in branch reconciliation and support routines
• Access boundaries around branch middleware exceeded least-privilege expectations
• Covert activity prioritized reconciliation and customer-support data before visible disruption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Raspberry Robin Financial Branch Offices Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Raspberry Robin Financial Branch Offices Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It is Tuesday at 07:20 at Sterling Financial Services. Branch operations teams preparing opening reconciliation routines report suspicious shortcut files from removable media, unexplained process activity on branch support hosts, and anomalies across transaction-service pathways. Security staff detect repeated outbound sessions from systems involved in customer account operations. Leadership must contain the incident before branch operations and customer trust deteriorate.”

“Initial branch alert logged at 07:20. Regional context: UK.”

“Operational scale: Financial services organization with 2,000 employees across 50 branches.”

“It is Tuesday at 07:20 at Van der Berg Financiele Diensten. Branch operations teams preparing opening reconciliation routines report suspicious shortcut files from removable media, unexplained process activity on branch support hosts, and anomalies across transaction-service pathways. Security staff detect repeated outbound sessions from systems involved in customer account operations. Leadership must contain the incident before branch operations and customer trust deteriorate.”

“Initial branch alert logged at 07:20. Regional context: Netherlands.”

“Operational scale: Financial services organization with 1,500 employees across 35 offices.”

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Removable media creates suspicious shortcut files on branch reconciliation hosts”
• “Branch middleware shows unexplained process launches during opening routines”
• “Transaction-support systems report anomalies between branch and central services”
• “Encrypted outbound traffic persists from hosts handling customer-account support”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• Timeline analysis links propagation to routine removable-media branch workflows
• Access records indicate focus on reconciliation and support-data repositories
• Host artifacts suggest sustained reconnaissance before overt service interruption

Protector System Analysis:

Note🛡️ Protector System Analysis

• Endpoint triage confirms propagation indicators across branch support infrastructure
• Control review identifies overtrusted update and transfer pathways
• Containment must preserve evidence while reducing branch-service risk immediately

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Beaconing and staged transfers indicate coordinated command infrastructure behavior
• Lateral traces map movement between branch and central transaction pathways
• Telemetry profile matches removable-media reconnaissance in distributed operations

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Branch leadership needs clear continuation criteria for customer-facing operations
• Service teams require defensible language for customer trust communications
• Oversight stakeholders need confidence-scoped status and evidence controls

Mid-Scenario Pressure Points:

• Hour 1: Branch managers report anomalies on high-volume transaction-support workflows
• Hour 2: Leadership cannot verify reliability of current reconciliation records
• Hour 3: Customer confidence pressure rises as branch disruptions expand
• Hour 4: Contractual and regulatory risk escalates while scope remains unresolved

Evolution Triggers:

• If removable-media controls lag, propagation continues through routine branch operations
• If systems are reset too early, evidence quality and compliance posture weaken
• If communication is delayed, customer trust degrades faster than technical recovery

Resolution Pathways:

Technical Success Indicators:

• Propagation paths are removed and branch systems return to trusted baselines
• Forensic timeline and transaction evidence are preserved for oversight review
• Removable-media governance is hardened across branch operations

Business Success Indicators:

• Branch continuity decisions remain defensible under documented risk analysis
• Customer messaging remains timely, accurate, and confidence-scoped
• Incident response preserves trust while restoring reliable branch operations

Learning Success Indicators:

• Team recognizes removable-media propagation in distributed financial environments
• Participants balance containment urgency with evidence-quality discipline
• Group coordinates branch operations, cybersecurity, and oversight decision-making

Common IM Facilitation Challenges:

If Teams Focus Only on Central Systems:

“Which controls must be executed at branch level in the next hour to reduce customer impact?”

If Teams Delay Oversight Coordination:

“ICO and FCA contacts request incident status, evidential controls, and assurance that branch transaction records remain reliable.”

“Autoriteit Persoonsgegevens and AFM contacts request incident status, evidential controls, and assurance that branch transaction records remain reliable.”

If Teams Skip Trust-Restoration Planning:

“What evidence threshold is required before issuing branch transaction-integrity assurances?”

Success Metrics for Session:

• Team identifies removable-media propagation paths affecting branch support systems
• Containment actions reduce customer impact while preserving evidence quality
• Oversight and customer communication remains timely and defensible
• Branch continuity decisions align with verified integrity confidence
• Long-term distributed financial resilience controls are clearly scoped

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Detect removable-media propagation and set immediate branch protections
Key Actions: Scope exposure, preserve evidence, and set initial customer-trust posture

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate branch triage, customer communication, and oversight escalation
Key Actions: Validate integrity confidence, isolate high-risk workflows, align branch messaging

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end branch-network response under customer and regulatory pressure
Key Actions: Balance service continuity with defensible containment and compliance posture

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous transaction evidence, multi-branch coordination, and authority conflict
Additional Challenges: Compressed deadlines and contested operational governance decisions

🌍 Localizing to Other EU Countries

This Dutch variation can be adapted to other EU countries during facilitation. EU members share GDPR, but financial oversight and cyber authorities differ by jurisdiction.

When localizing this branch-office financial scenario, substitute the relevant institutions below:

Country	Data Protection Authority	Financial Regulator	Cyber Agency	Operational Note
France	CNIL	AMF / ACPR	ANSSI	Strong centralized financial oversight model
Germany	BfDI	BaFin	BSI	Federal structure with regional execution differences
Denmark	Datatilsynet	Finanstilsynet	CFCS	Highly digital financial-service operations
Sweden	IMY	Finansinspektionen	CERT-SE	Distributed branch and digital banking mix
Italy	Garante Privacy	Banca d'Italia / CONSOB	ACN	Multi-regulator coordination for incident reporting

Notes:

• Regulatory overlap: Financial and privacy authorities may both require notification based on incident scope.
• Branch dependence: Local branch workflows can create operational variance across countries.
• Facilitation: Keep technical flow constant and localize only institutions and legal framing.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

• Clue 1 (Minute 5): Security operations at Sterling Financial Services confirms removable-media propagation across branch support systems.
• Clue 2 (Minute 10): Eleanor Davies confirms unexplained access to branch reconciliation records and customer-account support artifacts tied to this week’s transaction windows.
• Clue 3 (Minute 15): CEO James Forsyth opens a crisis briefing and states that customer confidence cannot absorb uncertainty in branch transaction integrity. CTO Priya Sharma confirms suspicious execution patterns in branch support workflows. CISO Michael Thornton reports propagation indicators linked to removable-media usage in daily reconciliation routines. Head of Branch Operations Eleanor Davies requests immediate guidance for branch-level containment and customer-service continuity.

• Clue 1 (Minute 5): Security operations at Van der Berg Financiele Diensten confirms removable-media propagation across branch support systems.
• Clue 2 (Minute 10): Marieke Smit confirms unexplained access to branch reconciliation records and customer-account support artifacts tied to this week’s transaction windows.
• Clue 3 (Minute 15): CEO Pieter van Dijk opens a crisis briefing and states that customer confidence cannot absorb uncertainty in branch transaction integrity. CTO Annemarie Bos confirms suspicious execution patterns in branch support workflows. CISO Jeroen Bakker reports propagation indicators linked to removable-media usage in daily reconciliation routines. Head of Branch Operations Marieke Smit requests immediate guidance for branch-level containment and customer-service continuity.

Pre-Defined Response Options

• Option A: Evidence-First Branch Containment

  • Action: Isolate affected branch systems, preserve artifacts, and enforce staged branch recovery with explicit transaction validation.
  • Pros: Maximizes evidence quality and long-term trust defensibility.
  • Cons: Near-term branch throughput pressure and service disruption risk.
  • Type Effectiveness: Super effective for durable branch-network resilience.

• Option B: Continuity-First Operations

  • Action: Maintain broad branch operations while applying targeted controls to high-risk workflows.
  • Pros: Preserves near-term customer service continuity.
  • Cons: Higher probability of continued propagation and integrity uncertainty.
  • Type Effectiveness: Partially effective with elevated trust risk.

• Option C: Phased Integrity Restoration

  • Action: Prioritize highest-risk branches and restore remaining workflows in controlled waves.
  • Pros: Balances operational urgency with verification discipline.
  • Cons: Extended uncertainty can strain customer confidence.
  • Type Effectiveness: Moderately effective with strict governance.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Branch-System Exposure (30-35 min)

• Opening: CEO James Forsyth opens a crisis briefing and states that customer confidence cannot absorb uncertainty in branch transaction integrity. CTO Priya Sharma confirms suspicious execution patterns in branch support workflows. CISO Michael Thornton reports propagation indicators linked to removable-media usage in daily reconciliation routines. Head of Branch Operations Eleanor Davies requests immediate guidance for branch-level containment and customer-service continuity.
• Clue 1 (Minute 10): Endpoint telemetry indicates propagation behavior tied to branch reconciliation routines.
• Clue 2 (Minute 20): Eleanor Davies confirms unexplained access to branch reconciliation records and customer-account support artifacts tied to this week’s transaction windows.

• Opening: CEO Pieter van Dijk opens a crisis briefing and states that customer confidence cannot absorb uncertainty in branch transaction integrity. CTO Annemarie Bos confirms suspicious execution patterns in branch support workflows. CISO Jeroen Bakker reports propagation indicators linked to removable-media usage in daily reconciliation routines. Head of Branch Operations Marieke Smit requests immediate guidance for branch-level containment and customer-service continuity.
• Clue 1 (Minute 10): Endpoint telemetry indicates propagation behavior tied to branch reconciliation routines.
• Clue 2 (Minute 20): Marieke Smit confirms unexplained access to branch reconciliation records and customer-account support artifacts tied to this week’s transaction windows.

Round 2: Oversight and Customer Decisions (30-35 min)

• Clue 3 (Minute 35): ICO and FCA contacts request incident status, evidential controls, and assurance that branch transaction records remain reliable.
• Clue 4 (Minute 45): NCSC reports recurring campaigns where removable-media propagation in financial environments enabled sustained reconnaissance before customer-facing disruption.
• Pressure Event (Minute 55): “Leadership requires a branch-operations and communication decision by Thursday 16:30.”
• Coordination Note: “Immediate external coordination: NCSC and NCA plus ICO and FCA supervisory channels under UK GDPR with FCA and PRA operational expectations.”

• Clue 3 (Minute 35): Autoriteit Persoonsgegevens and AFM contacts request incident status, evidential controls, and assurance that branch transaction records remain reliable.
• Clue 4 (Minute 45): NCSC-NL reports recurring campaigns where removable-media propagation in financial environments enabled sustained reconnaissance before customer-facing disruption.
• Pressure Event (Minute 55): “Leadership requires a branch-operations and communication decision by Thursday 16:30.”
• Coordination Note: “Immediate external coordination: NCSC-NL and Team High Tech Crime plus Autoriteit Persoonsgegevens and AFM supervisory channels under GDPR with AFM and DNB operational expectations.”

Debrief Focus

• How removable-media propagation alters risk assumptions in distributed branch environments
• What evidence quality is required before customer transaction-integrity assurances
• Which branch procedures should be redesigned for future resilience
• How to align cybersecurity response with overlapping financial and privacy obligations